Closed thomas-fossati closed 3 years ago
Thanks for reporting them here! I also added the following to my ballot (IANA expert comments):
Also wanted to point out the IANA Designated Expert review to make sure it is addressed (found in the datatracker, but which I report here for simplicity as well) - thank you to Richard Barnes for it:
- The "delegation" field is currently attached to the "identifier" object, which is a bad semantic fit in a few ways. ACME orders can have multiple identifiers, and delegations can describe multiple SAN values, yet this design assumes singularity on both sides. This field should be moved to the order object; in fact, if you wanted to be more radical, you could even use it to replace the "identifiers" field in the newOrder request.
- The "allow-certificate-get" field is listed as configurable. It seems like this is a matter of CA policy, so it should either be non-configurable, or if you allow the client to request a value for it, there should be a clear specification that the server is allowed to ignore the client's preference.
Thanks for reporting them here! I also added the following to my ballot (IANA expert comments):
Also wanted to point out the IANA Designated Expert review to make sure it is addressed (found in the datatracker, but which I report here for simplicity as well) - thank you to Richard Barnes for it:
Sure. These two are tracked as #171 and #172 .
Ah, didn't see them. Thanks!
uCDN is configured to delegate to dCDN, and CP is configured to delegate to uCDN, both as defined in Section 2.3.1.
FP: Re Figure 12: I assume that 0. refers to the configuration CP and uCDN share? In this case, why is there no arrow between uCDN and dCDN? If my assumption is wrong, then what's the meaning of 0?
Good catch, thanks!
0 is the ACME account setup, which we assume as a precondition (see Section 2.3.1.1), and is therefore redundant. I will remove it.
FP: This document defines two new registry, one with policy Specification required and the other Expert review (both of which will need designated experts). https://tools.ietf.org/html/rfc8126#section-5.3 states that:
When a designated expert is used, the documentation should give clear guidance to the designated expert, laying out criteria for performing an evaluation and reasons for rejecting a request. In the case where
I have noticed that RFC 8555 only provided guidance for one of its registries, and that the registries are quite straight forwards, but I still believe that having some guidance for the experts to evaluate requests helps.
Yaron has provided a fix for this in #179. (Note that we have dropped one of the two registries because of #171)